Analytics Story: AwfulShred

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware, including file wiping, process kills, system reboot via the system request key, use of shred, and service stops.

Why it matters

AwfulShred is a malicious Linux shell script designed to corrupt or wipe the targeted Linux system. It uses the shred command to overwrite files and so increase the data damage. This obfuscated script can also disable and corrupt the Apache, HTTP and SSH services, deactivate swap files, clear the bash history and finally reboot the system.

Detections

Name | Technique | Type
Linux Auditd Data Destruction Command | Data Destruction | TTP
Linux Auditd Hardware Addition Swapoff | Hardware Additions | Anomaly
Linux Auditd Service Restarted | Systemd Timers | Anomaly
Linux Auditd Shred Overwrite Command | Data Destruction | TTP
Linux Auditd Stop Services | Service Stop | Hunting
Linux Data Destruction Command | Data Destruction | TTP
Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP
Linux Deletion Of Services | File Deletion, Data Destruction | TTP
Linux Disable Services | Service Stop | TTP
Linux Hardware Addition SwapOff | Hardware Additions | Anomaly
Linux Impair Defenses Process Kill | Disable or Modify Tools | Hunting
Linux Indicator Removal Clear Cache | Indicator Removal | TTP
Linux Indicator Removal Service File Deletion | File Deletion | Anomaly
Linux Service Restarted | Systemd Timers | Anomaly
Linux Shred Overwrite Command | Data Destruction | TTP
Linux Stop Services | Service Stop | TTP
Linux System Reboot Via System Request Key | System Shutdown/Reboot | TTP
Linux Unix Shell Enable All SysRq Functions | Unix Shell | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Linux Auditd Execve | Linux | auditd | auditd
Linux Auditd Proctitle | Linux | auditd | auditd
Linux Auditd Service Stop | Linux | auditd | auditd
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational

Source: GitHub | Version: 1